Creating and Using SSH Keys for AWS


Overview

Amazon Web Services (AWS) uses SSH keys to securely connect and exchange information between servers and clients. Using SSH keys greatly increases the security of your sites and applications. This article shows you how to generate and use SSH keys to connect to your AWS account managed by Media Temple.

Instructions

Windows 7/8/10

Key Creation

This guide assumes that you do not already have key pairs. If you have a key pair and you are certain that it is still secure, send the public key (.pub) file to Media Temple via your service portal.

1. Putty is a free SSH client for Windows. This guide will show you how to use Putty to generate your SSH keys and connect to your AWS server. Begin by downloading and installing Putty and its related SSH key generation tool.

Download both the Putty client (putty.exe) and the putty key generator (puttygen.exe).

2. Open puttygen.exe and click on Generate. You will then be prompted to move your cursor around in the blank key area to generate random data. Do this until the progress bar is full and your key pair has been generated.

3. Once the key has been generated, fill in the Key comment and Key passphrase boxes. We recommend that you use your email address as the key comment. The passphrase will be required whenever you use the key. The key passphrase isn't mandatory and can be skipped by leaving the field blank, but it will significantly reduce the security of your key pair. Media Temple strongly recommends that you supply a password for your key pairs.

4. Save both your public and private keys. We recommend that you create a new folder in Documents titled "SSH" and save your keys there.

Public Key:

user@gmail.com.pub

Private Key:

user@gmail.com.ppk

Some FTP clients and other programs require a key that is in a different format. You can create a converted key by clicking on Conversions and then Export OpenSSH Key. Save this key as user@gmail.com.pem.

5. In order to use your new SSH key to connect to your AWS server, you must send your public key, user@gmail.com.pub, to Media Temple. The easiest way to do this is to log in to your service portal and click on User Access. Either upload the .pub file to the ticket or open the file and copy/paste the contents into the ticket. After this, please allow up to 12 hours for your SSH keys to be added to your account.

Important: If you are asked to send your SSH Key or Public Key to Media Temple (or anyone else), you will only want to send the PUBLIC key file, which is the file with the “.pub” extension. If you email out the Private Key, it is no longer secure and should be replaced! Never transfer your Private Key off of your computer at any time!

Key Use

After Media Temple has received and confirmed the installation of your keys, you're ready to use them to connect to your server.

There are 3 primary ways to connect to your AWS services.

SSH - Used to issue commands to the server via a shell (terminal).

SFTP - Used to upload/download files. FTP is not allowed due to its relative lack of security.

MySQL - Allows you to query your data in the database.

SSH - Connect with Putty

These instructions show you how to configure Putty to use the SSH keys created earlier in this article.

1. Begin by opening putty.exe. Locate the Auth section in the category bar by opening Connection > SSH > Auth. Click on Browse and find your SSH keys. If you created your keys using this guide, they should be located in an SSH folder inside your Documents folder. Select the .ppk file and click Open.

2. Scroll to the top of the Category menu and select Session. Type your IP address into the Host Name block. If you're using AWS managed by Media Temple, remember that your production and dev servers have different IPs and will require 2 different sessions. Give the connection a name under Saved Sessions and click Save.

3. Once you've saved your server, select it from the list of sessions and click Open. You will receive a warning the first time you connect using your new keys. Click Yes.

4. You'll then be prompted to enter your username for your server. For Media Temple customers, this is the same as your domain. Next, type the passphrase for your key.

5. Once you've entered your passphrase, you should receive a readout similar to the one below. You are now securely connected to your AWS server.

This will put you into the home directory of your user. By default this is: /home/mydomain.com

The default path for the web-root for your app should be at the following path: /home/mydomain.com/mydomain.com

For help with basic SSH commands and Linux file structure, refer to this community article.

SFTP - Connect with Cyberduck

Applications like Cyberduck and FileZilla make it easy to exchange information with servers using a graphical interface. The example in this guide uses Cyberduck, but there are many other options. Some, such as the popular FileZilla client, are free, and others have associated costs. These instructions should generally apply to other FTP programs as well.

1. If you don't already have Cyberduck, the client can be downloaded for free from their website. Download Cyberduck and install it using the packaged installer.

MySQL - Connect with Workbench

In order to connect to your database, you will need to use an SSH tunnel through one of your machines. All environments designed by Media Temple use industry best practices for security. This means no database is publicly accessible, and is always located in private network subnets. Using a tool like MySQL Workbench makes it easy for you to connect to your database and retrieve info if needed. There are other clients that can be used, some are free, some are not. We’re choosing to give our example with MySQL Workbench.

1. Begin by downloading and installing MySQL Installer. This is Oracle's install program and allows you to select which MySQL version and related applications you need. Make sure you pick the right installer version for your OS.

Once the MySQL installer is running, you'll be presented with several different install options. The easiest install is to select Custom from the list and then manually add only Workbench to the install list.

The pre-selected "Default Developer" install includes several applications beyond MySQL Workbench that you may not need. You can use this option, but these additional applications may have dependencies that need to be installed. If so, you will be prompted by the installer and linked to their respective downloads.

2. Click the (+) icon to create a new connection. Give your connection a name and set the connection type to “Standard TCP/IP over SSH”.

3. Enter the details from the environment document sent to you by your Media Temple support team.

You will enter 2 sets of information. The first set is for the host computer you are connecting to, and the 2nd set is for the DB itself.

Host info:

SSH Hostname: This information is listed in your environment document. The IP of the host will be the Elastic IP address given for the Production web-node or the Elastic IP address for the Dev web-node. This will determine to which database you are connecting. The Production EIP can only reach the Production DB, and vice versa for Dev.

Username: For AWS managed by Media Temple, this is your domain.

Password: There is no password for the host computer.

SSH Key File: Select your Private Key PEM file. If you don't have one, refer to the steps in this article for creation.

Database Connection Info:

MySQL Hostname: The DB hostname should be “rds.internal.dns” or “rds-main.internal.dns” depending on the age of your environment, but check your Environment Document to confirm.

4. Click on Test Connection. You will then be prompted to enter the password for your private key. The first time you connect, you will also receive an SSH Server Fingerprint Missing notification. Click Continue.

5. After the test is successful, click Ok to save your new connection. You may now double click on the connection tile to connect to your DB. For additional help using Workbench, refer to the official documentation.

Mac or Linux

Key Creation

This guide assumes that you do not already have key pairs. If you have a key pair and you are certain that it is still secure, send the public key (.pub) file to Media Temple via your service portal.

1. Begin by determining if you already have a key on your computer. Open the Terminal App for Mac or any other shell program.

2. Run the following command:

ls ~/.ssh/id*

If the path does not exist, or if you do not have any matching files in the directory, you likely don’t have a key.

The default names for key pairs generated via a bash terminal are id_rsa (your private key) and id_rsa.pub (your public key). If you have a suitable key, you can skip to step 6.

3. Run the following command to create a key, adding your email at the end:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

4. You will be asked to pick a path. You can use the default path by hitting enter.

5. You will be asked to select a password. This password will be required anytime that you use the key. This isn't required and can be skipped by pressing enter, but it will significantly reduce the security of your key pair. Media Temple strongly recommends that you supply a password for your key pairs.

6. In order to use your new SSH key to connect to your AWS server, you must send your public key, id_rsa.pub, to Media Temple. The easiest way to do this is to log in to your service portal and click on User Access. Either upload the id_rsa.pub file to the ticket or open the file and copy/paste the contents into the ticket. After this, please allow up to 12 hours for your SSH keys to be added to your account.

Important: If you are asked to send your SSH Key or Public Key to Media Temple (or anyone else), you will only want to send the PUBLIC key file, which is the file with the “.pub” extension, i.e. ~/.ssh/id_rsa.pub. If you email out the Private Key, it is no longer secure and should be replaced! Never transfer your Private Key off of your computer at any time!
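The checks behind steps 2, 3 and 6 above, written here as an added example rather than anything from Media Temple's own tooling: whether an id_rsa pair already exists, a non-interactive wrapper for the ssh-keygen command in step 3, and a guard that refuses to hand over anything but the public half before you paste it into the ticket. It assumes OpenSSH is installed and the default ~/.ssh/id_rsa names from the guide; the demo files are constructed and are not real keys.

```shell
#!/bin/sh
# Added example, not Media Temple's tooling. Assumes OpenSSH's ssh-keygen and
# the default ~/.ssh/id_rsa and id_rsa.pub names the guide uses.

# Step 2: is there already a default key pair in the given directory?
has_existing_key() {
  dir="${1:-$HOME/.ssh}"
  [ -f "$dir/id_rsa" ] && [ -f "$dir/id_rsa.pub" ]
}

# Steps 3 to 5 as one non-interactive call: 4096-bit RSA, email as the
# comment, passphrase supplied with -N instead of at the prompt.
generate_key() {
  keypath="$1"; email="$2"; passphrase="$3"
  ssh-keygen -q -t rsa -b 4096 -C "$email" -f "$keypath" -N "$passphrase"
}

# The Important note: only the .pub file may leave the machine. Accept a
# file only if it is a one-line OpenSSH public key without a PRIVATE KEY
# marker; id_rsa, .ppk and exported .pem files all fail this check.
is_public_key_file() {
  f="$1"
  [ -f "$f" ] || return 1
  grep -q "PRIVATE KEY" "$f" && return 1
  case "$(head -n 1 "$f")" in
    "ssh-rsa "*|"ssh-ed25519 "*|ecdsa-sha2-*) ;;
    *) return 1 ;;
  esac
  [ "$(wc -l < "$f" | tr -d ' ')" -le 1 ]
}

# Step 6: print the text to paste into the User Access ticket, refusing
# anything that is not a public key.
show_key_for_ticket() {
  is_public_key_file "$1" || { echo "refusing to send $1: not a public key" >&2; return 1; }
  cat "$1"
}

# Demo on constructed files in a temporary directory; no real keys are read.
demo() {
  tmp=$(mktemp -d)
  printf 'ssh-rsa AAAAB3NzaC1yc2E constructed-not-a-real-key user@example.com\n' > "$tmp/id_rsa.pub"
  printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n' > "$tmp/id_rsa"
  has_existing_key "$tmp" && echo "existing key pair found in $tmp, skip to step 6"
  show_key_for_ticket "$tmp/id_rsa.pub"
  show_key_for_ticket "$tmp/id_rsa" || echo "private key correctly rejected"
  rm -rf "$tmp"
}
demo
```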

Key Use

After Media Temple has received and confirmed the installation of your keys, you're ready to use them to connect to your server.

There are 3 primary ways to connect to your AWS services.

SSH - Used to issue commands to the server via a shell (terminal).

SFTP - Used to upload/download files. FTP is not allowed due to its relative lack of security.

MySQL - Allows you to query your data in the database.

SSH/SFTP - Connect with Terminal

These instructions explain how to connect to your AWS server using a terminal application. SSH allows for general server administration and SFTP is for exchanging information with your server. For general help with terminal commands and the basic Linux file structure, see this community article.

1. Open the Terminal app (Mac), or a shell (Linux). Refer to your environment document in order to get the proper IP address and username for the website you wish to connect to. The environment document is the document sent to you by your Media Temple support team detailing the specifics of your AWS environment and how to connect. The username will be the same as the domain name.

2. Run one of the following commands depending on the connection type (with your proper domain name information inserted):

For SSH:

ssh mydomain.com@host.mydomain.com

For SFTP:

sftp mydomain.com@host.mydomain.com

You may encounter an unknown key warning. If prompted, type "yes". This will only happen the first time you connect.

Example output from a successful connection:

This will put you into the home directory of your user. By default this is: /home/mydomain.com

The default path for the web-root for your app should be at the following path: /home/mydomain.com/mydomain.com

SFTP - Connect with FileZilla

Applications like FileZilla and Cyberduck make it easy to exchange information with servers using a graphical interface. The example in this guide uses FileZilla, but there are many other options. Some, such as the popular Cyberduck client, are free, and others have associated costs. These instructions should generally apply to other FTP programs as well.

1. If you don't already have FileZilla, the client can be downloaded for free from their website. Download FileZilla and install it using the packaged installer.

2. Open FileZilla and then select Settings from the FileZilla dropdown menu in the top left corner. From the settings menu, select SFTP and add your SSH keys by clicking on Add key file.

3. Hold command+shift+g to bring up a search field. Type ~/.ssh into the field and press ok.

4. Select id_rsa from the list and click open.

5. You may be prompted to create a converted copy of your key. Click Yes and type in the password for your key.

6. Now that you have your keys, close the settings page and fill in your connection details.

Host: Your IP from the AWS environment details document that was sent to you by your Media Temple support team. Your development and production servers will have different IPs, but you will use the same SSH key to connect to them.

Username: Your domain name.

Password: This is left blank. Do not put your SSH key password into this field.

Port: 22

7. Click on Quickconnect. If the connection is successful, you will receive a status readout of: Directory listing of "/home" successful.

For additional information on how to use FileZilla and other FTP clients, refer to this community article.

MySQL - Connect with Workbench

In order to connect to your database, you will need to use an SSH tunnel through one of your machines. All environments designed by Media Temple use industry best practices for security. This means no database is publicly accessible, and is always located in private network subnets. Using a tool like MySQL Workbench makes it easy for you to connect to your database and retrieve info if needed. There are other clients that can be used, some are free, some are not. We’re choosing to give our example with MySQL Workbench.

1. Begin by downloading and installing MySQL Workbench. Make sure you pick the right version for your OS.

2. Click the (+) icon to create a new connection. Give your connection a name and set the connection type to “Standard TCP/IP over SSH”.

3. Enter the details from the environment document sent to you by your Media Temple support team.

You will enter 2 sets of information. The first set is for the host computer you are connecting to, and the 2nd set is for the DB itself.

Host info:

SSH Hostname: This information is listed in your environment document. The IP of the host will be the Elastic IP address given for the Production web-node or the Elastic IP address for the Dev web-node. This will determine to which database you are connecting. The Production EIP can only reach the Production DB, and vice versa for Dev.

Username: For AWS managed by Media Temple, this is your domain.

Password: There is no password for the host computer.

SSH Key File: Select your Private Key PEM file. If you don't have one, refer to the steps in this article for creation.

Database Connection Info:

MySQL Hostname: The DB hostname should be “rds.internal.dns” or “rds-main.internal.dns” depending on the age of your environment, but check your Environment Document to confirm.

4. Click on Test Connection. You will then be prompted to enter the password for your private key. The first time you connect, you will also receive an SSH Server Fingerprint Missing notification. Click Continue.

5. After the test is successful, click Ok to save your new connection. You may now double click on the connection tile to connect to your DB. For additional help using Workbench, refer to the official documentation.
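The “Standard TCP/IP over SSH” connection that Workbench builds in both the Windows and the Mac/Linux sections above is a local port forward through the web node. The same thing from a terminal, as an added example that is neither Media Temple's nor Oracle's code: the Elastic IP 203.0.113.10, the local port 3307 and the key path are placeholders to be replaced with the values from your environment document, while the username mydomain.com and the DB hostname rds.internal.dns come from the article.

```shell
#!/bin/sh
# Added example, not Media Temple's or Oracle's code. 203.0.113.10 is a
# placeholder Elastic IP; take the real EIP, username and DB hostname
# from your environment document.

# Compose the ssh command that Workbench's "Standard TCP/IP over SSH"
# runs for you: a local forward local_port -> db_host:3306 through the
# web node. ExitOnForwardFailure makes ssh fail loudly if the local port
# is already taken, so mysql never connects to something else by accident.
build_tunnel_cmd() {
  eip="$1"; user="$2"; key="$3"; db_host="$4"; local_port="$5"
  case "$local_port" in
    ''|*[!0-9]*) echo "bad local port: $local_port" >&2; return 1 ;;
  esac
  [ "$local_port" -ge 1 ] && [ "$local_port" -le 65535 ] ||
    { echo "port out of range: $local_port" >&2; return 1; }
  [ -f "$key" ] || { echo "key file not found: $key" >&2; return 1; }
  # -f: go to the background only after the forward is established.
  # The remote 'sleep 10' keeps the tunnel open long enough for mysql to
  # connect; ssh exits by itself once that connection closes.
  printf 'ssh -f -o ExitOnForwardFailure=yes -i %s -L %s:%s:3306 %s@%s sleep 10' \
    "$key" "$local_port" "$db_host" "$user" "$eip"
}

# Open the tunnel, then run the mysql client against the local end.
# Remaining arguments are passed to mysql (e.g. -u dbuser -p -e 'SELECT 1').
# The first run prompts to confirm the web node's host key, the same
# event Workbench reports as "SSH Server Fingerprint Missing"; ssh then
# pins it in ~/.ssh/known_hosts and refuses to connect if it ever changes.
query_over_tunnel() {
  eip="$1"; user="$2"; key="$3"; db_host="$4"; local_port="$5"; shift 5
  cmd=$(build_tunnel_cmd "$eip" "$user" "$key" "$db_host" "$local_port") || return 1
  $cmd || return 1   # word-split on purpose; paths are assumed space-free
  mysql --protocol=TCP -h 127.0.0.1 -P "$local_port" "$@"
}

# Show the command the guide's Workbench settings correspond to.
if [ -f "$HOME/.ssh/id_rsa" ]; then
  build_tunnel_cmd 203.0.113.10 mydomain.com "$HOME/.ssh/id_rsa" rds.internal.dns 3307
  echo
fi
# query_over_tunnel 203.0.113.10 mydomain.com ~/.ssh/id_rsa rds.internal.dns 3307 -u dbuser -p -e 'SELECT 1'
```

Because the Production EIP can only reach the Production DB, the host you tunnel through decides which database answers on 127.0.0.1, exactly as with Workbench.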